Bre77 / TA-googlebigquery

https://splunkbase.splunk.com/app/5692/

Events or Metrics Index? #28

Open markodjukic opened 2 years ago

markodjukic commented 2 years ago

Hi,

I didn't see in the docs what type of index to use. The events one seems to work, but it would be better if we could use a metrics index.

Is it possible to use a metrics index?

Thanks,

Marko

Bre77 commented 2 years ago

This is completely independent of the modular input.

https://docs.splunk.com/Documentation/Splunk/9.0.2/Metrics/L2MConfiguration

You should be creating your own sourcetype with INDEXED_EXTRACTIONS=JSON and then a METRIC-SCHEMA to convert the indexed fields into metrics, or just rename the metric fields in your query to "metric_name:whatever".

The sourcetype I include uses KV_MODE rather than INDEXED_EXTRACTIONS, so don't try to use it for metrics.

[your:bigquery:metrics]
METRIC-SCHEMA-TRANSFORMS = mymetricschema
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
DATETIME_CONFIG = NONE
TRUNCATE = 9999999

Oh, and if you cannot select a metrics index in the Splunk UI, then just change it using your Browser dev tools or in the inputs.conf directly. This is an annoying thing with the Data Input pages that I can't easily fix.
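The following is an added worked example of the log-to-metrics setup described in the reply above; it is not part of the original thread and not the TA's own configuration. It assumes a constructed BigQuery result row shaped like `{"dataset":"prod_logs","table":"requests","bytes_processed":123456,"row_count":42,"query_ms":812}`, a metrics index named `bigquery_metrics`, a transform stanza named `bigquery_measures`, and an inputs.conf stanza whose real name depends on the input you created (shown as a placeholder). Note that props.conf references the transform with the `metric-schema:` prefix, which is the form the Splunk log-to-metrics documentation uses.

```ini
# indexes.conf (indexer or single instance): the target must be a metrics index,
# not an events index, or the converted metrics will be rejected at index time.
[bigquery_metrics]
datatype = metric
homePath   = $SPLUNK_DB/bigquery_metrics/db
coldPath   = $SPLUNK_DB/bigquery_metrics/colddb
thawedPath = $SPLUNK_DB/bigquery_metrics/thaweddb

# props.conf (wherever parsing happens for this input, usually the heavy forwarder
# running the modular input): index-time JSON extraction so the metric schema
# can see the fields, then hand the event to the log-to-metrics transform.
[your:bigquery:metrics]
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
DATETIME_CONFIG = NONE
TRUNCATE = 9999999
METRIC-SCHEMA-TRANSFORMS = metric-schema:bigquery_measures

# transforms.conf: which indexed fields become measures (the numeric values)
# and which become dimensions. With the constructed sample row above this
# yields three metrics, bytes_processed, row_count and query_ms, each carrying
# the dimensions dataset=prod_logs and table=requests.
[metric-schema:bigquery_measures]
METRIC-SCHEMA-MEASURES = bytes_processed,row_count,query_ms
METRIC-SCHEMA-WHITELIST-DIMS = dataset,table

# inputs.conf: point the modular input at the metrics index and the new
# sourcetype. The stanza header below is a placeholder for whatever your
# BigQuery input stanza is actually called; this is the setting the UI may not
# let you pick, as noted above.
[<your_bigquery_input_stanza>]
index = bigquery_metrics
sourcetype = your:bigquery:metrics
```

Log-to-metrics conversion requires Splunk 8.0 or later, and the original JSON event is not kept in an events index unless you route a copy there separately. Once data arrives, a quick check that the conversion worked is `| mstats sum(bytes_processed) WHERE index=bigquery_metrics span=1h BY dataset, table`; if that returns nothing, confirm the props.conf stanza is on the instance that actually parses the input, since INDEXED_EXTRACTIONS and METRIC-SCHEMA-TRANSFORMS are both index-time settings. The search-time alternative the reply mentions, renaming fields to `metric_name:<name>` and writing them with `mcollect`, needs no index-time configuration but only captures what your scheduled search sees.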